Bondnet

Initially spotted on a server by a Reddit user in March 2016 and later identified by the GuardiCore Global Sensor Network in January 2017, Bondnet is a botnet currently used to mine cryptocurrencies, primarily Monero. It consists of thousands of infected Windows servers, and its controller, operating under the aliases "Bond007.01" and "leebond986," uses it to earn approximately one thousand USD worth of Monero per day. Targeted systems are breached using various public exploits and then infected with a Windows Management Instrumentation (WMI) trojan that communicates with the attacker's C2 server. Bondnet collects system metadata such as the computer name, the RDP port in use, the guest username, OS version and language, number of active processors, system uptime, and CPU architecture, and sends it to the C2 server. GuardiCore believes the attacker behind Bondnet may be based in China, since the C2 server software is compiled on a Chinese server and some of the code pasted into the attacker's tools originates from Chinese websites. GuardiCore provides a free tool to detect and clean Bondnet infections, along with manual removal instructions.

Targeted Operating Systems:
Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2

Attack Vectors:
Brute-forcing weak login credentials, exploiting phpMyAdmin configuration flaws, and exploiting vulnerabilities in JBoss, Oracle Web Application Testing Suite, ElasticSearch, MSSQL servers, Apache Struts 2, Apache Tomcat, and Oracle WebLogic.

Reporting and Technical Details:
Image Source: GuardiCore